As company leaders have become better educated about the evolving nature of cyber threats, preparedness for addressing cyber risks has continued to improve.

According to PwC’s The Global State of Information Security Survey 2017, 50% of organizations now share with and receive more actionable information from industry peers. Meanwhile, as corporate boards have become more engaged in cyber security discussions, spending on cyber initiatives has risen 24%, according to the same study.

Still, while organizations have become more collaborative in sharing information about enterprise risks and are spending more on cyber security initiatives, the industry still has a long way to go, said Larry Clinton, President & CEO, Internet Security Alliance. Clinton will be speaking at the 2017 Atlanta CISO Executive Leadership Summit on September 27.

“The reality is that most corporate boards have not yet grasped this so there’s still a long way to go in making progress,” said Clinton. From an economic perspective, cyber-attacks are relatively cheap to launch, easy to access and incredibly profitable, he explained. “On the defensive side, we’re almost a generation behind the attackers. We’re dealing with an inherently porous system.”

Meanwhile, law enforcement officials are overwhelmed with the volume of cyber-attacks they’re attempting to investigate and prosecute.

“We prosecute 1%-to-2% of cyber criminals. It’s not that law enforcement isn’t good at this but they are overwhelmed. We lost somewhere between $500 billion to $1 trillion in revenues last year and we’re estimated to lose about $2 trillion this year,” said Clinton.

Getting everyone on the same page

Part of the challenge from an inter-organizational perspective is that each function (HR, finance, IT) approaches cyber security differently and they often don’t communicate well with one another regarding cyber risks, explained Clinton.

“We’re organized like it was the 1950s. There’s a finance department, a marketing department, a legal department and they often don’t talk,” said Clinton. “Cyber risk management needs to be managed across these major functions by a single executive, such as a COO or a Chief Risk Officer. What we’re now seeing from leading organizations is an understanding that this isn’t an IT issue – it’s an enterprise-wide risk issue,” said Clinton.

Clinton also believes that the public and private sectors need to work more closely together in sharing threat intelligence and in an environment that’s mutually beneficial for all stakeholders.

“We need to evolve to a completely different government-industry relationship so that industry doesn’t get its hand slapped if they are attacked,” said Clinton. “Plus, it’s not the corporation’s job to protect national security, so we have to figure out ways to support both interests.”